adding flowchart for inbound communication to the workspace

msakande · msakande · commit e41ed532a0c7 · 2024-02-27T14:17:45.000-06:00
diff --git a/articles/machine-learning/concept-secure-online-endpoint.md b/articles/machine-learning/concept-secure-online-endpoint.md
@@ -131,16 +131,15 @@ Finally, if your deployment doesn't need to access private Azure resources and y
 #### Inbound communication to the Azure Machine Learning workspace
 
 You can use the `public_network_access` flag of your Azure Machine Learning workspace to enable or disable inbound workspace access. 
-Typically, if you secure inbound communication to your workspace, you also want to secure inbound communication to your managed online endpoint. On the other hand, if your workspace is public, then you might want access to your managed online endpoint to be public.
+Typically, if you secure inbound communication to your workspace (by disabling the workspace's `public_network_access` flag) you also want to secure inbound communication to your managed online endpoint.
 
-The following table shows what kinds of inbound communication are possible for both your workspace and managed online endpoint, based on their `public_network_access` flag settings.
+The following chart shows a typical workflow for securing inbound communication to your Azure Machine Learning workspace and your managed online endpoint. For best security, we recommend that you disable the`public_network_access` flags for the workspace and the managed online endpoint to ensure that both can't be accessed via the public internet. If the workspace doesn't have a private endpoint, you can create one, making sure to include proper DNS resolution. You can then access the managed online endpoint by using the workspace's private endpoint.
 
-| Workspace inbound | Managed online endpoint inbound | Inbound communication |
-| -------- | -------------------------------- | --------- |
-| `public_network_access` is enabled | `public_network_access` is enabled | Public inbound communication to workspace and managed online endpoint. <br>No private endpoint needed for inbound communication. |
-| `public_network_access` is enabled | `public_network_access` is disabled | Public inbound communication to workspace. <br>No inbound communication possible to managed online endpoint, since workspace has no private endpoint connection. |
-| `public_network_access` is disabled | `public_network_access` is enabled | Private inbound communication to workspace. <br>Workspace and public can send inbound communication to managed online endpoint. |
-| `public_network_access` is disabled | `public_network_access` is disabled | Private inbound communication to workspace and managed online endpoint. Workspace's private endpoint is needed for inbound communication to both. |
+:::image type="content" source="media/concept-secure-online-endpoint/network-isolation-flowchart.png" alt-text="A screenshot showing a typical workflow for securing inbound communication to your workspace and managed online endpoint." lightbox="media/concept-secure-online-endpoint/network-isolation-flowchart.png":::
+
+[!INCLUDE [machine-learning-add-dns-records](includes/machine-learning-add-dns-records.md)]
+
+For more information on DNS resolution for your workspace and private endpoint, see [How to use your workspace with a custom DNS server](how-to-custom-dns.md).
 
 ## Appendix
 
diff --git a/articles/machine-learning/how-to-custom-dns.md b/articles/machine-learning/how-to-custom-dns.md
@@ -111,9 +111,7 @@ The Fully Qualified Domains resolve to the following Canonical Names (CNAMEs) ca
 
 The FQDNs resolve to the IP addresses of the Azure Machine Learning workspace in that region. However, resolution of the workspace Private Link FQDNs can be overridden by using a custom DNS server hosted in the virtual network. For an example of this architecture, see the [custom DNS server hosted in a vnet](#example-custom-dns-server-hosted-in-vnet) example.
 
-> [!NOTE]
-> Managed online endpoints share the workspace private endpoint. If you are manually adding DNS records to the private DNS zone `privatelink.api.azureml.ms`, an A record with wildcard
-> `*.<per-workspace globally-unique identifier>.inference.<region>.privatelink.api.azureml.ms` should be added to route all endpoints under the workspace to the private endpoint.
+[!INCLUDE [machine-learning-add-dns-records](includes/machine-learning-add-dns-records.md)]
 
 ## Manual DNS server integration
 
diff --git a/articles/machine-learning/includes/machine-learning-add-dns-records.md b/articles/machine-learning/includes/machine-learning-add-dns-records.md
@@ -0,0 +1,11 @@
+---
+author: msakande
+ms.service: machine-learning
+ms.topic: include
+ms.date: 02/27/2024
+ms.author: mopeakande
+---
+
+> [!NOTE]
+> Managed online endpoints share the workspace's private endpoint. If you're manually adding DNS records to the private DNS zone `privatelink.api.azureml.ms`, an A record with wildcard
+> `*.<per-workspace globally-unique identifier>.inference.<region>.privatelink.api.azureml.ms` should be added to route all endpoints under the workspace to the private endpoint.
diff --git a/articles/machine-learning/media/concept-secure-online-endpoint/network-isolation-flowchart.png b/articles/machine-learning/media/concept-secure-online-endpoint/network-isolation-flowchart.png
